Securing Social Media: National Safety, Privacy Concerns

It's a critical time for social media platforms and the government agencies and private businesses and individuals using them.

RSA CONFERENCE 2018 – San Francisco – Governments and businesses around the world are navigating concerns around social media, which is playing an increasingly important role in both national and enterprise security.

Cyberspace is redrawing borders we haven't seen before, said James Foster, CEO at ZeroFOX, in a session entitled "POTUS is Posting: Social Media and National Security." Borders between people, once based on geography, are now based on apps. He presented a graphic illustrating their size: Facebook has 2 billion users, YouTube has 1.5 billion, WhatsApp has 1.2 billion, WeChat has 938,000.

"Social media is unavoidable," said Dr. Kenneth Geers, senior research scientist at Comodo Group. Platforms like Twitter and Facebook have greater influence on national security as they become a communication tool for global leaders and an attack vector for threat actors.

The presenters turned to the example of President Donald Trump, who is notorious for sharing updates and making national policy decisions on Twitter. Geers pointed out how the former Secretary of State, who didn't have a good relationship with the President, printed tweets to see the foreign policy of the day from the White House. Earlier on April 18, Trump tweeted an update stating CIA director Mike Pompeo had recently met with Kim Jong Un in North Korea.

"I promise you, people are printing out this tweet to figure out what to do today," said Geers. "The power of social media, to some degree, speaks for itself."

In this sense, Foster said, modern social media is the technological medium for sharing messages the same way television was decades ago. "Like it or not, regardless of the side of the aisle you're on, this is the new communication form for government, and it's not going to go away," Foster said. "Of course war can be declared on social media, for the first time in history."

The power and reach of social media extends to threat actors, who are leveraging it as a platform in increasingly large and dangerous attacks. It's a perfect area for information operations and false accounts; after all, social media provides the perfect amount of anonymity and distance for attackers to fire their virtual weapons from afar.

We should believe half of what we hear and see on social media, said Geers. When it comes to national security, everything is suspicious. Accounts and activity are easy to fake. As an example of account hijacking, he pointed to a fake Twitter account for the US Central Command. The account had a broad reach of 110,000 followers, giving its owners a great deal of influence.

"Social media and cyberattacks are more important than we think if they have any impact on national security at a high level," Geers noted.

In the private sector, one of the biggest threats to the business will be fraudulent and spoofed accounts, Foster pointed out. With social as their platform, attackers can get to the two most important groups of enterprise targets: employees and customers. It puts businesses in a strange position: to what extent do employees' social media accounts pose a threat? How do they govern social media? Are they responsible for protecting employees' accounts?

Foster and Geers outlined several steps organizations can take to lessen the risk of social media-based threats in the enterprise. Their recommendations: work with the communications teams to build a social media policy and dictate what can and cannot be posted. Tell employees how to report abuses and potential threats. Teach best practices for hardening their accounts, and establish a policy around breach notifications and lost credentials.

Data Privacy: An Ongoing Issue

Alongside national security, data privacy is another critical issue facing social platforms and users today. A few days ago, Facebook shed more light on its privacy practices. The social media giant has been in the thick of controversial congressional hearings on how it uses customer data, and its account holders want to know what's going on.

People are placing higher value on their privacy and showing greater concern for how companies use their information. In a 10,000-person study conducted by Harris Poll and sponsored by IBM, researchers found 78% of US respondents say an organization's ability to keep their data private is "extremely important" but only 20% "completely trust" them to do so.

In one post, Facebook explained its reasoning for collecting data when users aren't on the platform. Several websites and apps use Facebook services, like its login and analytics tools, to personalize their content. When users visit a site or app that uses its services, Facebook gets info even when the user is logged out - or doesn't have a Facebook account at all.

"There are three main ways in which Facebook uses the information we get from other websites and apps: providing our services to these sites or apps, improving safety and security on Facebook, and enhancing our own products and services," wrote product management director David Baser in a blog post discussing its data usage and users' information control.

In a follow-up post the next day, Erin Egan, vice president and chief privacy officer for policy, and vice president and deputy general counsel Ashlie Beringer explained how Facebook is complying with new privacy laws and adding new protections.

As part of continued privacy efforts, Facebook plans to ask for users' input on various aspects of their activity on the platform. People will be able to weigh in on ads based on data from Facebook partners, information in their profiles, and facial recognition technology. It's also rolling out new GDPR-compliant tools to access, delete, and download information.

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Those are high level categories for why facebook gathers data but I find they can be somewhat ambiguous as to what data they correlate. I think a good exercise would be to have those three categories mapped to data sets provided by the user and an privacy agreement from the user for agreement in accordance with providing those data sets.

Similar to how private sectors set policies to "try" and control the data flow into the social media ether, the same approach should be true for public sectors. Regardless of what side of the political fence you are on, tweets around the ongoings of the United States need to be vetted. They should not come from one individual before this validation because there can and will be implications towards national security.

Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.

Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed...

An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted X...